The Importance of Security Culture
A healthy security culture is one where everyone along for the ride will habitually put on their seatbelt
Are you the type of person who always wears their seatbelt? I hope so. If so, you will probably feel uncomfortable without it. You get that feeling because you’ve spent most of your life building safe habits, which makes it feel strange not to follow them. Building a culture of security at your organization should create the same experience — it should feel uncomfortable for anyone to break their security practices.
These days, an employee can compromise an entire company with a single click. Too many organizations are learning this lesson the hard way. Whether you’re a two-person startup working from a garage or a 500+ person publicly-traded business, there are critical assets which need to be protected and every employee has the responsibility to do so.
The trap that some companies will fall into, however, is one of accountability. When it’s everyone’s responsibility, it’s no one’s. This problem isn’t created by the lack of a security program but by the lack of an effective one. In my experience, the most effective security programs are those which create a culture of security throughout the company.
Having a culture of security means moving from reactive to proactive. It provides company-wide awareness, training opportunities, and clearly defined and communicated responsibilities. It means that every member of your organization, at every level, understands the potential threats and risks and has the tools and knowledge to protect the assets they are trusted with. It means knowing how to respond to an incident without panicking.
When I work with clients, I will ask them questions about their security program and make it clear that I don’t focus my time on auditing their code for security bugs. Sometimes they are perplexed by this because it goes against the norms they are used to and, frankly, a bad reputation created by most consultants. Instead, I focus my time with clients on what practices they currently do or don’t follow and then make recommendations for how they can improve their security culture. Some examples of strong signals that I look for include:
- If they keep a paper trail (issue tracker, design docs, incident notes, decision notes)
- If they secure access to their systems and services (MFA/2FA, VPN, password managers, least privilege)
- If they secure their devices (anti-virus/anti-malware, encrypted drives)
- If they back up their data
- If their documentation includes security considerations (on-boarding/off-boarding, design docs, incident response)
Here’s the thing: it’s all about finding the right balance of security for the size and stage of your organization. Most organizations don’t need a huge in-house security team or an outsized security budget. What you do need is awareness of the risks that exist and the mindfulness to consider the security implications of your workflow. Done correctly, it’ll become second nature and you’ll have the confidence that everybody along for the ride is wearing their seatbelt.
Eric Higgins started Brindle Consulting to provide organizations with a better approach to building their security programs.
Special thanks to my friends Ivan Tam and Andy Chu for their feedback on this post.